[BlueOnyx:13902] Re: Blueonyx Digest, Vol 58, Issue 30

wcstaff at webcoast.com
Wed Oct 23 09:35:58 -05 2013


> -----Original Message-----
> From: blueonyx-bounces at mail.blueonyx.it
[mailto:blueonyx-bounces at mail.blueonyx.it] On
> Behalf Of Stephanie Sullivan
> Sent: Wednesday, October 23, 2013 10:16 AM
> To: 'BlueOnyx General Mailing List'
> Subject: [BlueOnyx:13901] Re: Blueonyx Digest, Vol 58, Issue 30
> 
> Gen,
> 
> This is much more interesting than you might realize. The big answer is:
> it depends.
> 
> In the typical BX setup each server is a DNS master for the domains of the
> sites it hosts. This is how the per-site dns management works. Back in the
> good old RaQ3/4 days we set our design to use dedicated servers for DNS.
> Since we were making all the changes we just set up two servers to be
> master and slave to all the zones.
> 
> If you do NOT run DNS servers on your BX server then no special rules.
> 
> If you do run a DNS server on your BX box I open TCP and UDP incoming to
> port 53. I don't use IPTables based "recent" limiting on DNS like wcstaff
> suggests but it's not too bad of an idea. I do use it on other services
> like ssh, ftp, pop and imap. The recent module needs to be cleared out
> every once in a while or it can result in inaccurate blocking (in my
> experience). But it can be VERY useful.
> 
> I just open up UDP and TCP incoming to port 53. Most DNS access that isn't
> zone transfer should happen through UDP.
> 
> 
> By all means - turn OFF recursion except for your own servers. You almost
> certainly don't need to resolve zones off your server except for requests
> from your own servers. That prevents a plethora of abusive actions.
> 
> I hope this is helpful.
> 
> 	Thanks,
> 		-Stephanie
> 
Stephanie,
I would be interested in seeing your IPTables-based "recent" settings for
SSH, FTP, and especially POP and IMAP.
I do have some SSH settings similar to the port 53 settings I posted. But I
get hammered all the time by the same IP addresses for email.
I did ask on the list if there were any useful settings for that, but I
never got a response.
Thanks for the input.
Tom
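As an added illustration of the per-service "recent" limiting Stephanie describes and Tom asks about (this is constructed example code, not anything either of them posted): a POSIX sh script that generates iptables rules using the recent module for SSH, FTP, POP3 and IMAP, plain ACCEPT rules for port 53, and the command that empties a recent list. Service names, thresholds and the assumption that ACCEPT rules for these ports already follow in the INPUT chain are all mine; the script prints the commands rather than running them, so they can be reviewed before being piped to sh as root.

```shell
#!/bin/sh
# Constructed example: emit iptables "recent" rate-limit rules. Nothing is
# applied; the output is meant to be reviewed, then piped to sh as root.

# recent_rules NAME PROTO PORT HITS SECONDS
# Rule 1 records every new connection attempt to PORT in the recent list NAME.
# Rule 2 drops the attempt when the same source already has HITS entries in
# the last SECONDS seconds. --update refreshes the source's timestamp, so a
# host that keeps hammering stays blocked until it is quiet for SECONDS.
# HITS must not exceed the xt_recent ip_pkt_list_tot parameter (default 20).
recent_rules() {
    name=$1 proto=$2 port=$3 hits=$4 seconds=$5
    printf 'iptables -A INPUT -p %s --dport %s -m conntrack --ctstate NEW -m recent --name %s --set\n' \
        "$proto" "$port" "$name"
    printf 'iptables -A INPUT -p %s --dport %s -m conntrack --ctstate NEW -m recent --name %s --update --seconds %s --hitcount %s -j DROP\n' \
        "$proto" "$port" "$name" "$seconds" "$hits"
}

# clear_recent_list NAME
# The recent module keeps its state in /proc/net/xt_recent/NAME (ipt_recent on
# older kernels). Writing "/" to that file empties the list, which is the
# reset Stephanie mentions when stale entries start blocking legitimate hosts.
clear_recent_list() {
    printf 'echo / > /proc/net/xt_recent/%s\n' "$1"
}

# open_dns: port 53 over UDP and TCP, no recent limiting (as in the post).
open_dns() {
    printf 'iptables -A INPUT -p udp --dport 53 -j ACCEPT\n'
    printf 'iptables -A INPUT -p tcp --dport 53 -j ACCEPT\n'
}

# all_rules: the per-service policy. Thresholds are constructed starting
# points (attempts per source per window), not values from the list.
all_rules() {
    recent_rules SSH  tcp 22  4  60
    recent_rules FTP  tcp 21  6  60
    recent_rules POP3 tcp 110 10 60
    recent_rules IMAP tcp 143 10 60
    open_dns
}

all_rules
clear_recent_list POP3
```

Order matters: the --set rule must precede the --update/DROP rule for the same list, and both must precede the ACCEPT for that port.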